I am attempting to set up quite a few of our Windows desktops with RDP through PF ... I can set up a port redirect to 3389 or change the port for a particular Windows box and port redirect on that port, but I would *really* like to keep the Windows boxes on the standard RDP port 3389 and then have the incoming port different (i.e. 3390, 3391, 3392, 3393, etc.).

rdr on $ext_if proto tcp from any to any port 3133 -> 192.168.1.133 port 3389

The reason: when doing software updates, I operate on the local network and use remote desktop internally ... it would be nice not to maintain a list of each port (not to mention having to modify the registry on each computer). I thought of possibly doing a VPN, but given the extra configuration on the Windows box + additional support, keeping with just a port redirect for RDP seems easier.

Redirection alone is half the story. The redirected traffic must be allowed to continue on to the destination. This will usually work (assuming the target is behind another interface):

Code:

# this takes care of the 'pass in' part on the external side
rdr pass on $ext_if inet proto tcp from any to $ext_if port 3133 -> 192.168.1.133 port 3389
rdr pass on $ext_if inet proto tcp from any to $ext_if port 3130 -> 192.168.1.130 port 3389
# this will take care of the 'pass out' part on the internal side
pass out quick on $int_if inet proto tcp from any to 192.168.1.133 port 3389 keep state
pass out quick on $int_if inet proto tcp from any to 192.168.1.130 port 3389 keep state
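To avoid hand-maintaining one rdr/pass pair per desktop, the rule set above can be generated from a single list of "external port, internal host" pairs. The script below is an added example and is not code from this thread; the interface macros, the `$admin_net` macro (which replaces `from any` so that only a named source network can reach the redirected RDP ports) and the host list are assumptions. It also checks that no external port is listed twice, because pf uses the first matching rdr rule and a duplicate would silently never be used.

```shell
#!/bin/sh
# Added example (not from the thread): generate pf.conf rdr/pass rules for a
# set of internal RDP hosts from one list, so every host keeps TCP 3389 and
# only the external port differs. Interface macro names and the host list
# are hypothetical; the rule shape follows the pair of rules posted above.

EXT_IF='$ext_if'   # pf macro names, as used in the thread's pf.conf
INT_IF='$int_if'
RDP_PORT=3389

# Constructed sample list: one "external_port internal_host" pair per line.
HOSTS='3133 192.168.1.133
3130 192.168.1.130'

# Macro header for pf.conf; the network is a placeholder to be replaced with
# the source networks that are allowed to reach RDP (assumption, not 'any').
gen_header() {
    printf 'admin_net = "203.0.113.0/24"   # placeholder: networks allowed to reach RDP\n'
}

# Emit, per host, one 'rdr pass' line (covers the external 'pass in') and one
# 'pass out' line for the internal interface.
gen_rdr_rules() {
    printf '%s\n' "$1" | while read -r ext_port host; do
        [ -n "$ext_port" ] || continue
        printf 'rdr pass on %s inet proto tcp from $admin_net to %s port %s -> %s port %s\n' \
            "$EXT_IF" "$EXT_IF" "$ext_port" "$host" "$RDP_PORT"
        printf 'pass out quick on %s inet proto tcp from any to %s port %s keep state\n' \
            "$INT_IF" "$host" "$RDP_PORT"
    done
}

# Returns non-zero if any external port appears more than once in the list:
# pf takes the first matching rdr rule, so a duplicate would never be hit.
check_unique_ports() {
    printf '%s\n' "$1" | awk 'NF { if (seen[$1]++) dup = 1 } END { exit dup ? 1 : 0 }'
}

# Print a ready-to-paste pf.conf fragment when run directly.
if check_unique_ports "$HOSTS"; then
    gen_header
    gen_rdr_rules "$HOSTS"
else
    echo "duplicate external port in host list" >&2
fi
```

Run it and paste the output into pf.conf after the existing macro definitions; adding a desktop then means adding one line to the list and reloading the rule set.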

That does not make sense, no. There is no overlap between the two (you don't have a destination port in the first rule for 192.168.1.133, so the port will stay the same (3133)). In fact 'rdr pass' is a shortcut for an additional pass in rule. It looks like the outside world is connecting straight to 192.168.1.133:3389 without any redirection. Then again, I don't know how your network is set up (router, bridge, NAT, interfaces, etc.).

I have the following situation...
FreeBSD server with static IP (let's say 200.20.21.10), where I have installed VirtualBox with Win XP on it (XP uses a bridged interface... I need ping to be available from this Windows). So I'm trying to connect from another network (let's say 201.21.22.11) to the virtual Windows on the FreeBSD server: when using NAT as the device in the virtual Windows, it will connect on 3389, but I can't ping from that Windows. When I use the bridged interface (rl0) in the virtual Windows, I can't connect to this virtual Windows using 3389. Windows IP: 190.141.5.10, netmask 255.255.252.0

I believe I need to use pf.conf on the FreeBSD server to forward this port/protocol when making a connection from 201.21.22.11 to the virtual Windows (190.141.5.10).

Thanks, any advice appreciated...

PS: From the FreeBSD server, telnetting to 190.141.5.10 on port 23 works with no problem.

I have a FreeBSD server with static IP (e.g. 200.20.20.10), where I have VirtualBox running with Win XP on it... with a bridged interface (rl0, I need to make ping from Windows) and IP 190.141.5.10. So I'm connecting from another network (e.g. 201.21.22.11)... When the virtual Win XP uses the NAT device I can connect to remote desktop by using VirtualBox NAT forwarding. But when I use the bridged interface (rl0), I can't make a remote desktop connection from 201.21.22.11. Do I need in this case to use FreeBSD's pf.conf to forward 3389 from 201.x.x.x to 190.141.5.10 through FreeBSD's 200.20.20.10?
PS: telnetting from FreeBSD to the virtual Win XP (telnet 190.141.5.10 23) works successfully...

So, I need to connect from 201.x.x.x:3389 (remote desktop Windows, Unix etc.) (or any other network) to 190.141.5.10 (with bridge rl0, to have the ability to run ping from Windows) through the FreeBSD server (200.20.20.10).
Thanks